More importantly, it is far easier to revoke on a person-to-person basis even on the same account.
If you use password auth and some accounts have a password that is shared knowledge (root, anyone?), you have to change all passwords once one person's permissions change.
In practice, revoking public keys is a problem for many companies already, as I found out when my private key was stolen a while ago (on an encrypted drive, but paranoia is paranoia).
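Per-person revocation on a shared account, as discussed in the comment above, shown as an added example that is not part of the thread: it removes one person's entry from an `authorized_keys` file by SHA256 fingerprint and leaves everyone else's access untouched. The function names and the sample file are hypothetical, and the key bytes are constructed, not real keys.

```python
import base64, hashlib, struct

def key_blob(line):
    """Return the decoded key blob of an authorized_keys line, or None."""
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # A real key field embeds its own type name, length-prefixed; this
        # skips look-alike words inside options such as command="...".
        prefix = struct.pack(">I", len(ktype)) + ktype.encode()
        if blob.startswith(prefix):
            return blob
    return None

def fingerprint(blob):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def revoke(text, revoked_fps):
    """Drop lines whose key fingerprint is revoked; return (new_text, removed)."""
    kept, removed = [], []
    for line in text.splitlines():
        blob = None if line.lstrip().startswith("#") else key_blob(line)
        if blob is not None and fingerprint(blob) in revoked_fps:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def sample_line(owner, options=""):
    """Constructed entry: a well-formed ssh-ed25519 blob with made-up key bytes."""
    raw = hashlib.sha256(owner.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"{options}ssh-ed25519 {base64.b64encode(blob).decode()} {owner}@laptop"

# Constructed authorized_keys for a shared account with three people on it.
AUTHORIZED_KEYS = "\n".join([
    "# shared deploy account",
    sample_line("alice"),
    sample_line("bob", 'from="10.0.0.0/8",no-agent-forwarding '),
    sample_line("carol"),
]) + "\n"
BOB_FP = fingerprint(key_blob(sample_line("bob")))

if __name__ == "__main__":
    new_text, removed = revoke(AUTHORIZED_KEYS, {BOB_FP})
    print("removed:", [entry.split()[-1] for entry in removed])
    print(new_text, end="")
```

Matching on the fingerprint rather than the trailing comment matters because the comment field is free text that anyone with write access to the file can change.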
Don't forget that makes you more vulnerable to malware on the client, which now has easy access to your keys, and your known_hosts file (which gives the attacker a convenient list of servers to attempt to log into using those keys.)
Yes, this is why having a passphrase on your key is recommended. The idea is not to use keys instead of passwords, but in addition to: the password protects the private key locally, which is used to authenticate to the server. However, that seems to be uncommon practice.
And it's easier once it's set up. I don't have to punch in a password any time I need to make a server change.